What is FIPS?
The Federal Information Processing Standards (FIPS) are U.S. government standards for cryptographic modules, defined by the National Institute of Standards and Technology (NIST). FIPS compliance is often required for organizations in:
- Government and defence
- Healthcare and life sciences
- Financial services
- Critical infrastructure
Tyk FIPS Offering
Tyk’s FIPS-compliant products are available as a paid Enterprise Edition FIPS add-on (EE-FIPS). Please speak to your account manager for access. Subject to the terms of this policy, and our wider FIPS terms, the following components are available in FIPS-compliant form (the “FIPS Products”):
- Tyk Gateway
- Tyk Dashboard
- Tyk Pump
- MDCB
- Tyk Sync
- Tyk Operator (images only; packages are not generated for Operator)
- Kubernetes bootstraps
- Tyk Enterprise Developer Portal
-fips suffix (e.g. tyk-gateway-fips, tyk-pump-fips).
FIPS Products are available on the current LTS, LTS-1, and latest feature branch. We recommend staying on the current LTS for the most stable and regularly patched FIPS releases. See the LTS policy for details.
FIPS Standard by Version
Compliance posture depends on the software version. See below for version-specific details.
Version 5.13.x and later
5.13.X will become our next LTS version in the summer of 2026. Please refer to this page for exact timelines.
- Targets FIPS 140-3 compliance
- Available as Docker Hardened Images (DHI) or native OS packages (RPM/DEB)
- Both formats deliver the same FIPS 140-3 compliant application-layer cryptography
- DHI builds additionally use a FIPS-validated base image, are STIG-compliant, and include enterprise supply chain security controls (SLSA Level 3 build provenance, signed SBOMs, and cryptographic image signatures)
- Native packages deliver the core FIPS-compliant cryptographic binaries but do not include a certified base image or supply chain attestations
Version 5.8.x
- Targets FIPS 140-2 compliance
- Available as RPM/DEB packages only using the BoringCrypto cryptographic module
- Not built on a FIPS-certified base image
- Compliance applies to the packaged binaries only; it does not extend to the container image, plug-ins, or surrounding environment
- Does not include DHI supply chain attestations (SLSA/SBOMs)
If your organisation has regulatory obligations requiring FIPS 140-3, a certified base image, or supply chain attestations, you should be on version 5.13.x or later using Docker Hardened Images. Contact your Tyk account team for upgrade planning support.
What “FIPS-compliant” means
Please note that the FIPS Products have not been submitted to a NIST testing lab for validation and Tyk is not FIPS certified. FIPS-compliant means that the FIPS Products only use FIPS 140-3 approved cryptographic algorithms when running in FIPS mode, and are built on a FIPS-certified base image. This is only available to specific Tyk-built products as detailed in this policy. In particular:
- The FIPS Products use Go 1.25’s native FIPS implementation to provide FIPS 140-3 validated cryptographic operations. See Go FIPS 140-3 documentation for more details.
- These packages are distributed separately, identifiable by the -fips suffix (e.g., tyk-gateway-fips, tyk-pump-fips).
- The FIPS Products have not been submitted to a NIST testing lab. They are therefore FIPS-compliant, as per the above definition, but are not FIPS-certified.
- Tyk’s FIPS-compliant packages are only available to customers who have purchased the right to access and use Tyk’s FIPS Products via an Enterprise Edition FIPS add-on (an “EE-FIPS add-on”). Tyk’s EE-FIPS add-on is provided via a Tyk Global Order Form and is subject to Tyk’s latest FIPS policy.
- At all times, customers remain responsible for ensuring compliance with their overall deployment, configuration, infrastructure, and the use of the FIPS Tyk Products.
Important Notes
Use of Tyk’s FIPS Products is conditional on:
- A signed EE-FIPS add-on via a Tyk Global Order Form
- Acceptance of any additional terms specific to FIPS releases
FAQ
Are All Tyk FIPS Products Equivalent in Their Compliance Posture?
No. Version 5.8.x targets FIPS 140-2 using BoringCrypto and is not built on a certified base image. Version 5.13.x and later targets FIPS 140-3 using Go’s native cryptographic implementation, is delivered as Docker Hardened Images with a FIPS-validated base layer, and includes supply chain attestations. If your requirements specify FIPS 140-3, a certified base image, or SBOMs, you need 5.13.x or later.
Is Tyk FIPS-Certified?
No. Tyk’s products have not been submitted to a NIST testing laboratory. They are FIPS-compliant, by Tyk’s definition. See What “FIPS-compliant” means for further information.
Can I Use FIPS Builds Without an EE-FIPS Add-On?
No. Access to FIPS Products requires a signed EE-FIPS add-on. Please contact your account manager.